Network Security Defense

Fernando Gont
8th Regional CaribNOG Meeting
Willemstad, Curacao. September 29-October 3, 2014

About...
● I have worked in security assessment of communication protocols for:
  ● UK NISCC (National Infrastructure Security Co-ordination Centre)
  ● UK CPNI (Centre for the Protection of National Infrastructure)
● Currently working as a security researcher and consultant for SI6 Networks (http://www.si6networks.com)
● Active participant at the Internet Engineering Task Force (IETF)
● Moderator of LACNIC's security forum
● More information at: http://www.gont.com.ar

8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014

Goals of this Presentation
● Do a brief introduction of Information and Network Security
● Walk up the protocol stack
● Discuss vulnerabilities
● Discuss possible mitigation techniques

Goals of Information Security
● Confidentiality
  ● Prevent unauthorized use or disclosure of information
● Integrity
  ● Safeguards the accuracy and completeness of information
● Availability
  ● Authorized users have reliable and timely access to information

Sometimes these goals conflict
● privacy vs. company (or govt) wants to be able to see what you’re doing
● losing data vs. disclosure (copies of keys)
● denial of service vs. preventing intrusion
● Source: Radia Perlman's “Network Security Protocols: A Tutorial” (2004)

Some Information Security Concepts

Access Control
● The ability to permit or deny the use of an object by a subject.
● It provides 3 essential services:
  ● Authentication (who can login)
  ● Authorization (what authorized users can do)
  ● Accountability (what a user did)

Authentication
● A means to verify or prove a user’s identity
● The term “user” may refer to:
  ● Person
  ● Application or process
  ● Machine or device
● To prove identity, a user must present either of the following:
  ● What you know (password)
  ● What you have (token, key, etc.)
  ● Who you are (biometrics)

Authorization
● Defines the user’s rights and permissions on a system
● Grants a user access to a particular resource and what actions he is permitted to perform on that resource
● Access criteria based on the level of trust:
  ● Roles
  ● Groups
  ● Location
  ● Time
  ● Transaction type

Accountability
● Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity, e.g.:
  ● Senders cannot deny sending information
  ● Receivers cannot deny receiving it
  ● Users cannot deny performing a certain action

Integrity
● Security goal that generates the requirement for protection against either intentional or accidental attempts to violate data or system integrity
● Data integrity
  ● The property that data has when it has not been altered in an unauthorized manner
● System integrity
  ● The property that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation

Compartmentalization
● “Limit the damage that can be produced by an event”
● e.g., compartments and watertight subdivisions of a ship's hull:

Compartmentalization (II)
● Examples:
  ● Multiple smaller subnets vs. single large subnets
  ● Single admin account vs. multiple per-service admin accounts

Vulnerability
● A weakness in security procedures, network design, or implementation that can be exploited to violate a security policy
  ● Software bugs
  ● Configuration mistakes
  ● Network design flaw
  ● Lack of encryption

Attack
● The active exploitation of a vulnerability

Attack types
● Masquerading
  ● An entity claims to be another entity
● Eavesdropping
  ● An entity reads information it is not intended to read
● Authorization violation
  ● An entity uses a service or resource it is not intended to use
● Loss or modification of information
  ● Data is being altered or destroyed

Attack types (II)
● Denial of communication acts (repudiation)
  ● An entity falsely denies its participation in a communication act
● Denial of Service
  ● Any action that aims to reduce the availability and/or correct functioning of services or systems

Network Reconnaissance Attacks
● Unauthorized users gather information about the network or system before launching other, more serious types of attacks
● Information gained from this attack is used in subsequent attacks
● Examples of relevant information:
  ● Names, email addresses
  ● Nodes' addresses
  ● Domain names
  ● Network topology

Denial Of Service Attacks
● Attempt to make a machine or network resource unavailable to its intended users.
● Methods to carry out this attack may vary
  ● Saturating the target with external communications requests (such that it can’t respond to legitimate traffic) – SERVER OVERLOAD
  ● Simply
● Examples:
  ● SYN flooding
  ● Reflection attacks
● DDoS attacks are more dynamic and come from a broader range of attackers

Network Attacks

Introduction
● OSI Reference model:

Introduction (II)
● DARPA Reference model: [figure: DARPA layers mapped to OSI layer-7, OSI layer-4, OSI layer-3, OSI layer-1]

Layer-2 Attacks

Introduction
● Layer-2 attacks include:
  ● Eavesdropping (sniffing)
  ● ARP Spoofing
  ● MAC flooding
  ● DHCPv4/DHCPv6 attacks
  ● IPv6 ND attacks
  ● IPv6 SLAAC attacks

Layer-2 Attacks: Eavesdropping

Eavesdropping (sniffing) attacks
● Goal: Gain unauthorized access to information being transmitted over a communications channel
● For “shared media” networks, this can be as simple as running the so-called “protocol analyzers”:
  ● e.g. Wireshark

Mitigating Eavesdropping Attacks
● Do not use insecure protocols
  ● HTTPS vs. HTTP
  ● Telnet vs. SSH
  ● etc.
● Where possible, prevent unnecessary access (“compartmentalize”)

Layer-2 Attacks: ARP attacks

ARP attacks
● The Address Resolution Protocol (ARP) maps IP addresses into link-layer addresses
● It works (roughly) as follows:
  ● Host A wants to send a packet to Host B
  ● Host A sends an ARP request to all nodes: “Who has IP address B?”
  ● Host B sends an ARP response to Host A: “I have IP address B, and my MAC address is 11:22:33:44:55:66”
  ● Host A can now send its packets
● Forging ARP response packets can be used for Man In the Middle Attacks

ARP attacks mitigation
● ARP cache poisoning prevention
  ● Static ARP cache entries
  ● ARP inspection (e.g., Cisco's DAI)
● ARP spoofing detection
  ● arpwatch

Static ARP entries
● Add a static entry in Linux:
  ● arp -i INTERFACE -s IP_ADDRESS
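
The two mitigations on the ARP slides, pinned (static) entries and spoofing detection by watching for binding changes, can be sketched as follows. This is an added example, not code from the presentation or from arpwatch; the class and function names, the 192.0.2.x addresses and every MAC address except Host B's 11:22:33:44:55:66 are assumptions, and the ARP payloads are constructed inline rather than captured.

```python
import struct

def build_arp(op, smac, sip, tmac, tip):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used only to construct sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not well-formed Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = ":".join(f"{b:02x}" for b in payload[8:14])
    sip = ".".join(str(b) for b in payload[14:18])
    return op, smac, sip

class ArpMonitor:
    """Tracks IP-to-MAC bindings; `pinned` plays the role of static ARP entries."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})
        self.seen = {}
    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return "malformed"
        _, mac, ip = parsed
        if ip in self.pinned and self.pinned[ip] != mac:
            return "static-violation"      # never learn a binding that contradicts a pin
        prev, self.seen[ip] = self.seen.get(ip), mac
        if prev is None:
            return "new"
        return "ok" if prev == mac else "changed"

def run_sample():
    """Feed constructed ARP replies (not captured traffic) through the monitor."""
    host_b, rogue, gw = "11:22:33:44:55:66", "02:00:00:00:00:99", "00:00:5e:00:53:01"
    a_mac, a_ip = "02:00:00:00:00:0a", "192.0.2.10"
    mon = ArpMonitor(pinned={"192.0.2.1": gw})
    frames = [
        build_arp(2, host_b, "192.0.2.20", a_mac, a_ip),       # legitimate reply from Host B
        build_arp(2, host_b, "192.0.2.20", a_mac, a_ip),       # same binding again
        build_arp(2, rogue, "192.0.2.20", a_mac, a_ip),        # different MAC claims B's address
        build_arp(2, rogue, "192.0.2.1", a_mac, a_ip),         # contradicts the pinned gateway
        build_arp(2, host_b, "192.0.2.20", a_mac, a_ip)[:20],  # truncated payload
    ]
    return [mon.observe(f) for f in frames]
```

A "changed" verdict is only a signal to investigate, since a replaced network card or a failover also changes a binding; a "static-violation" means a reply contradicts an address the operator pinned explicitly.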
